Certified Information Systems Security Professional (CISSP)
Report paper
Domain “access control”
Supervised by instructor Dogus Sarica
Prepared by Zaid Dawad Al-Rustom (20112465)
Definitions
First I will present some definitions of the Certified Information Systems Security Professional (CISSP). CISSP is an independent information security certification governed by the International Information Systems Security Certification Consortium, also known as (ISC)².
As of November 2012, (ISC)² reports 84,596 members hold the CISSP certification worldwide, in 143 countries. In June 2004, the CISSP obtained accreditation under the ANSI ISO/IEC Standard 17024:2003. It is also formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoDD 8570 certification requirement. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program.
My own definition: it is an international certificate that organizations depend on to secure the data in computers, made by a group of specialist computer security programmers to provide a standard security certificate; the main advantage of this is that it sets out many computer security laws and ethical rules that protect us against internet information crimes.

The 10 Domains:
     1. Security Management Practices
     2. Access Control Systems & Methodology
     3. Law, Investigations, Ethics
     4. Physical Security
     5. Business Continuity & Disaster Recovery Planning
     6. Security Architecture & Models
     7. Cryptography
     8. Telecommunications & Network Security
     9. Applications & Systems Development
     10. Operations Security.
Access control

                       "The first line of defense"

Some attacks
Let's look at some of the different attacks on passwords. There is the dictionary attack, the brute-force attack, and a combination of the two that we call a hybrid attack. First, what is a dictionary attack? A password is not stored in clear text in a file on your computer; what is stored is a hash of the password. A dictionary attack therefore takes every word in the dictionary, creates a hash of it, and compares that hash with the file on the computer. When it finds a match, it looks back at the word it used to create that hash, and that is the password. A brute-force attack is just that: it tries all possible combinations in order to match your hash and recover your password.
A brute-force attack will always succeed given enough time, because it literally tries every possible combination. What are some of the things you can do to mitigate these attacks? First of all, the obvious one: don't send your passwords in clear text, and don't use common words or dictionary words.
There are tools out there, SATAN being one of them, that you can use as password checkers to see how secure your passwords are. They identify those that are weak, and then you simply change those.
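The weak-password check the text describes, written out as an added example (this is not code from the report and it is not SATAN): it runs a dictionary check against a constructed file of unsalted hashes, then repeats it against salted, iterated hashes to show why the "hash every word once and compare" shortcut stops working, and finishes with the set-time policy check that rejects dictionary words. The user names, passwords, word list and the 12-character minimum are all constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the salted scheme (constructed choice)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample password file: unsalted SHA-256 hashes, as in the text's
# description of a file that holds hashes rather than clear-text passwords.
USER_HASHES = {
    "alice": sha256_hex("sunshine"),
    "bob": sha256_hex("Tr0ub4dor&3x!"),
    "carol": sha256_hex("password"),
}

# Constructed mini word list; a real checker loads a large dictionary.
DICTIONARY = ["password", "letmein", "sunshine", "qwerty", "welcome"]


def audit_unsalted(user_hashes: dict, dictionary: list) -> tuple[dict, int]:
    """Weak-password check as the text describes: hash each dictionary word once,
    then look every stored hash up in that table. Returns ({user: word}, hash_ops)."""
    lookup = {sha256_hex(word): word for word in dictionary}
    hits = {user: lookup[h] for user, h in user_hashes.items() if h in lookup}
    return hits, len(dictionary)


def make_salted(password: str, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Store a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def audit_salted(records: dict, dictionary: list,
                 iterations: int = ITERATIONS) -> tuple[dict, int]:
    """Same check against salted records: the precomputed table no longer works,
    so every (user, word) pair costs a full PBKDF2 run. Weak passwords are still
    found, which is why the policy must reject dictionary words at set time."""
    hits, ops = {}, 0
    for user, (salt, digest) in records.items():
        for word in dictionary:
            ops += 1
            if verify_salted(word, salt, digest, iterations):
                hits[user] = word
                break
    return hits, ops


def is_acceptable(password: str, dictionary: list, min_length: int = 12) -> bool:
    """Set-time policy from the text's mitigation: no dictionary words, plus a
    minimum length so that exhaustive search is not cheap (length is constructed)."""
    return len(password) >= min_length and password.lower() not in dictionary


if __name__ == "__main__":
    weak, ops = audit_unsalted(USER_HASHES, DICTIONARY)
    print("unsalted:", weak, "hash operations:", ops)
    plain = {"alice": "sunshine", "bob": "Tr0ub4dor&3x!", "carol": "password"}
    records = {u: make_salted(p) for u, p in plain.items()}
    weak, ops = audit_salted(records, DICTIONARY)
    print("salted:", weak, "hash operations:", ops)
```

Both audits flag the same two accounts, but the unsalted file costs one hash per word for the whole user base, while the salted file costs one slow hash per user per word. Salting and a high iteration count raise the price of the attack; only the set-time policy removes the weak password.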



Access control administration
The organization has to decide which access control model it is going to implement, whether DAC, MAC, or whatever else may be used; expect to find that in the security policy. Then the technologies and techniques that will support that model need to be identified and put in place: standards need to be developed, policies need to be developed, and procedures need to be developed and put in place. The next question the organization has to answer is how access control is going to be managed. Is it going to be managed centrally, with one central location handling everything? That might work for a small organization, but when you get into a large organization, particularly a multinational or international one spread across many countries, a centralized approach may not be the best solution, and you may want to decentralize. You may only want to decentralize a portion of it, which is referred to as the hybrid approach: let's say you centrally manage the network, but local printers and local file shares are managed at that particular location, so you use a hybrid approach for the administration of access control.
When we talk about centralized access control, we have one location that is making the decisions regarding access. Senior management has to decide on that, it has to be defined in the security policy, and the data owner makes the ultimate decision. Senior management also decides what they are going to have in place to support it: something like RADIUS, TACACS+, or the new version of RADIUS, Diameter, as their centralized access control. In other words, you've got one location, and that location is controlling access for everybody.


Centralized access control
I will give an example to discuss centralized access control. RADIUS is a handshaking protocol that allows the RADIUS server to provide authentication and authorization information to the network access server, which is the RADIUS client. When we dial in, we do not access the RADIUS server directly. The server contains a database of users and credentials, or the RADIUS server may be configured to consult another directory, such as a Lightweight Directory Access Protocol (LDAP) server, that holds the credentials; for example, the RADIUS server could be configured to query Active Directory on Windows and use that as its database of users and credentials. There also needs to be communication between the RADIUS client and the server, and that communication needs to be protected.
The user initiates Point-to-Point Protocol (PPP) authentication with the provider. The RADIUS client then prompts the user for their credentials, and the user types in the user ID and password. The server then checks those credentials, either locally in its own database or against, let's say, Active Directory, and sends back an Accept or a Reject, or it may send a Challenge back. If authentication is successful, RADIUS allows the client access to the network, so you can get onto the network and do whatever you want to.
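The exchange just described, simulated end to end as an added example (not code from the report): a network access server prompts for credentials, hides the password with the RFC 2865 shared-secret scheme, and relays an Access-Request; the server checks the credentials locally or in a second user store that stands in for the LDAP / Active Directory back end, and answers Access-Accept, Access-Reject, or Access-Challenge followed by a second round trip. The shared secret, user names, passwords and one-time code are constructed. The MD5-based password hiding shown here is what the RFC specifies, but it only keeps the password from a casual observer; in practice the client-server path is additionally protected with IPsec or RADIUS over TLS (RFC 6614), which is the "communication needs to be protected" point in the text.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
SHARED_SECRET = b"constructed-shared-secret"  # constructed; one secret per client in practice


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR
    each block with MD5(secret + previous ciphertext block); the first block is
    keyed by the 16-byte Request Authenticator."""
    if not password:
        raise ValueError("empty password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run by the server that shares the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


class RadiusServer:
    """Constructed server: a local user database plus a second lookup that
    stands in for the LDAP / Active Directory back end the text mentions."""

    def __init__(self, secret, local_users, directory_users, otp_codes):
        self.secret = secret
        self.local_users = local_users          # {user: password}
        self.directory_users = directory_users  # {user: password}, stands in for AD/LDAP
        self.otp_codes = otp_codes              # {user: code}; these users get a challenge
        self.pending = {}                       # State token -> user awaiting the answer

    def _lookup(self, user):
        return self.local_users.get(user) or self.directory_users.get(user)

    def handle(self, req: dict) -> dict:
        user = req["User-Name"]
        supplied = unhide_password(req["User-Password"], self.secret, req["Authenticator"])
        if "State" in req:  # second leg of a challenge: supplied value is the one-time code
            if self.pending.pop(req["State"], None) == user and \
                    hmac.compare_digest(supplied, self.otp_codes[user].encode()):
                return {"Code": ACCESS_ACCEPT}
            return {"Code": ACCESS_REJECT}
        expected = self._lookup(user)
        if expected is None or not hmac.compare_digest(supplied, expected.encode()):
            return {"Code": ACCESS_REJECT}
        if user in self.otp_codes:
            state = os.urandom(8)
            self.pending[state] = user
            return {"Code": ACCESS_CHALLENGE, "State": state,
                    "Reply-Message": "Enter your one-time code"}
        return {"Code": ACCESS_ACCEPT}


class NetworkAccessServer:
    """The RADIUS client: prompts for credentials and relays them to the server."""

    def __init__(self, secret, server):
        self.secret, self.server = secret, server

    def _request(self, user, value, extra=None):
        authenticator = os.urandom(16)
        req = {"Code": ACCESS_REQUEST, "User-Name": user, "Authenticator": authenticator,
               "User-Password": hide_password(value.encode(), self.secret, authenticator)}
        req.update(extra or {})
        return self.server.handle(req)

    def login(self, user, password, answer_challenge=None) -> str:
        """Returns the name of the final message. answer_challenge(prompt) -> str
        supplies the user's reply if the server sends Access-Challenge."""
        resp = self._request(user, password)
        if resp["Code"] == ACCESS_CHALLENGE and answer_challenge is not None:
            resp = self._request(user, answer_challenge(resp["Reply-Message"]),
                                 {"State": resp["State"]})
        return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
                ACCESS_CHALLENGE: "Access-Challenge"}[resp["Code"]]


def build_demo() -> NetworkAccessServer:
    """Constructed users: 'dialup' is local, 'alice' lives in the directory,
    'admin' must also answer a one-time-code challenge."""
    server = RadiusServer(SHARED_SECRET,
                          local_users={"dialup": "pppAccess-42"},
                          directory_users={"alice": "Wonderl4nd!", "admin": "Adm1n-pass"},
                          otp_codes={"admin": "246810"})
    return NetworkAccessServer(SHARED_SECRET, server)


if __name__ == "__main__":
    nas = build_demo()
    print(nas.login("dialup", "pppAccess-42"))
    print(nas.login("alice", "wrong"))
    print(nas.login("admin", "Adm1n-pass", answer_challenge=lambda prompt: "246810"))
```

The server never sees a clear-text password on the wire, but anyone holding the shared secret can unhide it, so the secret is the whole strength of the hop; that is why it must be long, per client, and why the transport is wrapped in TLS or IPsec in current deployments.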
Access control methodologies
Administrative:
     Group membership
     Time of day
     Transaction type
The methodologies for access control are administrative, technical, and physical. On the administrative side we have group membership, time of day, and transaction type. From an administrative methodology we can restrict access to data based on group membership, on time of day (for example, payroll files are not to be accessed on Sunday morning at 3:00 am), or on transaction type (you are not allowed to perform a transaction type you have not been permitted to, such as deleting the database table). Those are the administrative access control methodologies.

Technical access control
   Directory service
   Network architecture
   Network access
   Encryption
   Auditing


Directory service
The technical layer of access control: what are the technical access controls? We've already mentioned directory services, but the way you architect the network can also be an access control, and that is technical. Network access is a technical control, as is encryption. And let me point out one thing: auditing is a technical access control. Audit logs are technical controls because they track the activity of users and systems. Auditing is not preventive; it can't prevent someone from accessing something, but it helps a system administrator understand how the access took place so that in the future they can make changes. For directory services there are different types: X.500, LDAP, network directory services, and Active Directory. All four are types of directory services, and all of them are technical controls. Of those, LDAP, the Lightweight Directory Access Protocol, is the one that basically adapts the X.500 directory to work over TCP/IP.
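The administrative rules from the methodologies section (group membership, time of day, transaction type) and the auditing point made just above, combined in one added example that is not code from the report: a small access controller evaluates each request against a policy, looks group membership up in a dictionary that stands in for a directory service, and appends an audit record for every decision. The resource names, groups, hours and user names are constructed. The payroll rule encodes the text's own example, so a read at 03:00 on a Sunday is denied on time of day; the log records that denial but, as the text says, prevents nothing by itself.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    resource: str
    groups: frozenset        # who may access (group membership); "*" means anyone
    transactions: frozenset  # which transaction types are permitted
    hours: dict              # weekday (0=Mon .. 6=Sun) -> (start_hour, end_hour); absent = closed


# Constructed policy: payroll is open to HR and finance on weekdays 07:00-19:00
# for read and update only; the price list is readable by anyone at any time.
POLICY = {
    "payroll": Rule("payroll", frozenset({"hr", "finance"}),
                    frozenset({"read", "update"}), {d: (7, 19) for d in range(5)}),
    "pricelist": Rule("pricelist", frozenset({"*"}), frozenset({"read"}),
                      {d: (0, 24) for d in range(7)}),
}

# Constructed stand-in for a directory service (LDAP / Active Directory) group lookup.
DIRECTORY_GROUPS = {
    "pat": {"hr"},
    "sam": {"engineering"},
}


class AccessController:
    """Evaluates the administrative rules and writes an audit record for every
    decision. The log is detective: it records what happened and prevents nothing."""

    def __init__(self, policy, directory_groups):
        self.policy = policy
        self.directory_groups = directory_groups
        self.audit_log = []

    def _evaluate(self, user, resource, transaction, when):
        rule = self.policy.get(resource)
        if rule is None:
            return False, "unknown resource"
        groups = self.directory_groups.get(user, set())
        if "*" not in rule.groups and not (groups & rule.groups):
            return False, "group membership"
        window = rule.hours.get(when.weekday())
        if window is None or not (window[0] <= when.hour < window[1]):
            return False, "time of day"
        if transaction not in rule.transactions:
            return False, "transaction type"
        return True, "all conditions met"

    def check(self, user, resource, transaction, when) -> bool:
        """when is a datetime or an ISO-8601 string such as '2024-03-03T03:00'."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        allowed, reason = self._evaluate(user, resource, transaction, when)
        self.audit_log.append(
            f"{when.isoformat()} user={user} resource={resource} "
            f"txn={transaction} decision={'PERMIT' if allowed else 'DENY'} reason={reason}")
        return allowed

    def denials_for(self, user) -> list:
        """Reading the log afterwards, which is how an administrator uses it."""
        return [e for e in self.audit_log if f"user={user} " in e and "decision=DENY" in e]


if __name__ == "__main__":
    ac = AccessController(POLICY, DIRECTORY_GROUPS)
    ac.check("pat", "payroll", "read", "2024-03-03T03:00")    # Sunday 03:00
    ac.check("pat", "payroll", "read", "2024-03-05T10:00")    # Tuesday 10:00
    ac.check("pat", "payroll", "delete", "2024-03-05T10:00")
    ac.check("sam", "payroll", "read", "2024-03-05T10:00")
    print("\n".join(ac.audit_log))
```

Each denial names the condition that failed, which is what makes the log useful after the fact: a run of "time of day" denials for one account at 03:00 is a pattern an administrator can act on, even though the control itself only said no.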


Network architecture
Where you place firewalls, for example: you may have an internal network within your trusted network that is just for the top secret data, and you put a firewall in front of that top secret portion of your network to block it. Basically, what you're doing is architecting the network to control access. You put a DMZ in place, and in the DMZ you put your bastion host servers, from which you've removed all the extra services and ports; you put a firewall in front of the DMZ and a firewall after the DMZ. How you architect the network is going to control who has access and who can get where.
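The zoning the paragraph describes, as an added example that is not code from the report: a constructed addressing plan with an internet-facing DMZ of bastion hosts, a trusted internal range, and a top secret segment inside it that only a cleared workstation subnet may reach; the outer firewall admits only the public services, the inner firewall blocks everything else from the top secret segment, and a bastion host is further limited to the one service it exists for. All addresses, zone names, ports and rules are constructed; the rule table is evaluated first-match with default deny.

```python
import ipaddress

# Constructed addressing plan. The top-secret segment and the cleared-workstation
# subnet both sit inside the trusted internal range, so zone lookup must prefer
# the most specific prefix.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "cleared": ipaddress.ip_network("10.0.9.0/24"),
    "topsecret": ipaddress.ip_network("10.1.0.0/24"),
}

# Bastion hosts in the DMZ expose only the service they exist for (constructed);
# every other service and port has been removed from them.
BASTION_SERVICES = {
    "192.0.2.10": {443},   # web front end
    "192.0.2.25": {25},    # mail relay
}

# (src_zone, dst_zone, allowed_ports or None for any, action); first match wins,
# anything unmatched is denied.
RULES = [
    ("cleared", "topsecret", {443}, "allow"),   # inner firewall: cleared workstations only
    ("internal", "topsecret", None, "deny"),
    ("dmz", "topsecret", None, "deny"),
    ("internet", "dmz", {25, 443}, "allow"),    # outer firewall: public services only
    ("dmz", "internal", {5432}, "allow"),       # bastion -> internal database only
    ("internal", "dmz", None, "allow"),
    ("cleared", "internal", None, "allow"),
    ("internal", "internet", {80, 443}, "allow"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match so that nested segments win over their parent."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    raise ValueError(ip)


def is_permitted(src_ip: str, dst_ip: str, dst_port: int) -> tuple[bool, str]:
    """Decide whether a connection crosses the firewalls, and say why."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True, f"same zone ({src}): no firewall in the path"
    for rule_src, rule_dst, ports, action in RULES:
        if rule_src == src and rule_dst == dst and (ports is None or dst_port in ports):
            if action == "allow" and dst == "dmz" \
                    and dst_port not in BASTION_SERVICES.get(dst_ip, set()):
                return False, f"bastion {dst_ip} does not expose port {dst_port}"
            return action == "allow", f"rule {src}->{dst} {action}"
    return False, f"default deny {src}->{dst}"


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.5", "192.0.2.10", 443),
                           ("203.0.113.5", "192.0.2.10", 25),
                           ("10.0.3.7", "10.1.0.5", 443),
                           ("10.0.9.4", "10.1.0.5", 443)]:
        print(src, "->", dst, port, is_permitted(src, dst, port))
```

Two things the rule table makes visible: an address inside the trusted range is still not trusted for the top secret segment unless it is in the cleared subnet, and the outer firewall's "allow 25 and 443 into the DMZ" only becomes safe because each bastion host exposes one of those ports, not both.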


Physical layer
   Network segregation
   Perimeter security
   Computer controls
   Work area separation
   cabling

Access control at the physical layer consists of the physical controls: network segregation, perimeter security, computer controls, work area separation, and cabling.
Network segregation is just that: you can physically separate the network or logically separate it. Physically separated means the wiring, one set of routers, and one set of switches are physically separated from other parts of the network; logically separated means using virtual LANs. With perimeter security you've got the locks on the doors, perhaps a mantrap to get into the building, and guards; all of those are physical security controls. Computer controls are things like a lock on your laptop, so you lock it to your desk and people can't walk off with it, or, for those of you under a requirement that the USB ports cannot be used, physically removing them from the device or putting epoxy into the slot, so you can't put a USB device into it because the slot has been filled with the epoxy. Those are all types of computer controls. Then work area separation: I have one client, a state agency, that has a direct connection with a federal agency. They are both in the same physical building on the same floor, but you have to go through the state agency to get to the back of the room, to another private door that only the federal employees are allowed to go through, and they have their own internal mantrap in order to get into the federal area. To me that's work area separation. And then cabling: actually keeping the cables separate. Those are all types of physical layer, or physical, controls.


Identification and Authentication
Identification and authentication are the keystones of most access control systems.
Identification is the act of a user professing an identity to a system, usually in the
form of a log-on ID to the system. Identification establishes user accountability for
the actions on the system. Authentication is verification that the user’s claimed
identity is valid and is usually implemented through a user password at log-on time.
Authentication is based on the following three factor types:
1. Something you know, such as a PIN or password
2. Something you have, such as an ATM card or smart card
3. Something you are (physically), such as a fingerprint or retina scan


Passwords
Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. This “one-time password” provides maximum security because a new password is required for each new log-on. A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system.
Biometrics
An alternative to using passwords for authentication in logical or technical
access control is biometrics. Biometrics are based on the Type 3 authentication
mechanism something you are. Biometrics are defined as an automated means of
identifying or authenticating the identity of a living person based on
physiological or behavioral characteristics. In biometrics, identification is a
“one-to-many” search of an individual’s characteristics from a database of stored
images. Authentication in biometrics is a “one to- one” search to verify a claim
to an identity made by a person. Biometrics is used for identification in physical
controls and for authentication in logical controls.
The following are typical biometric characteristics that are used to uniquely
authenticate an individual’s identity:
           Fingerprints
           Retina scans
           Iris scans
           Facial scans
           Palm scans
           Hand geometry
           Voice
           Handwritten signature dynamics

Single Sign-On (SSO)
Single Sign-On (SSO) addresses the cumbersome situation of logging on
multiple times to access different resources. A user must remember numerous
passwords and IDs and may take shortcuts in creating passwords that may be
open to exploitation. In SSO, a user provides one ID and password per work
session and is automatically logged-on to all the required applications. For SSO
security, the passwords should not be stored or transmitted in the clear. SSO
applications can run either on a user’s workstation or on authentication servers.
The advantages of SSO include having the ability to use stronger passwords,
easier administration of changing or deleting the passwords, and requiring less
time to access resources. The major disadvantage of many SSO implementations
is that once a user obtains access to the system through the initial logon, the user
can freely roam the network resources without any restrictions.




Conclusion
We talked about how you could have physical or logical separation: a virtual LAN, let's say, for top secret, a virtual LAN for secret, and a virtual LAN for public information or unclassified data. I am going to conclude this subject on access control. We've talked about access control as being the first line of defense; we've talked about how people access data and the resources that go along with making that happen, the main goal being to protect resources from unauthorized access; the models, discretionary access control, mandatory access control, role-based access control, and rule-based access control; and then whether you want to manage access control centrally or decentralized, or whether you want to use a hybrid approach. We talked about the fact that controls can be administrative, physical, or technical, and that regardless of whether they're administrative, physical, or technical, those controls can give you preventive, detective, and recovery services. I hope you've enjoyed this article about access control, and I look forward to seeing you again, hoca, next semester; please excuse my English language errors.





Weitere ähnliche Inhalte

Was ist angesagt?

Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
Anne Starr
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Michele Chubirka
 

Was ist angesagt? (20)

Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general att
 
DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resi
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineering
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access control
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology Pillars
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 

Andere mochten auch

3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
7wounders
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
madunix
 

Andere mochten auch (12)

CISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy CourseCISSP introduction 2016 Udemy Course
CISSP introduction 2016 Udemy Course
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Exam
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6
 
5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying5 Ways To Improve Cissp Exam Score Without Studying
5 Ways To Improve Cissp Exam Score Without Studying
 
Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 3
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 

Ähnlich wie Certified Information Systems Security Professional (cissp) Domain “access control”

SANS 20 Security Controls
SANS 20 Security ControlsSANS 20 Security Controls
SANS 20 Security Controls
Casey Wimmer
 
Introduction to Access Control Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docxIntroduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control Week6 Part1-IS Revis.docx
mariuse18nolet
 
CIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docxCIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docx
mccormicknadine86
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
Brianna Johnson
 
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
vickeryr87
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
write4
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
write4
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
write31
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal Thing
Karen Oliver
 

Ähnlich wie Certified Information Systems Security Professional (cissp) Domain “access control” (20)

Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
SANS 20 Security Controls
SANS 20 Security ControlsSANS 20 Security Controls
SANS 20 Security Controls
 
Introduction to Access Control Week6 Part1-IS Revis.docx
Introduction to Access Control  Week6 Part1-IS Revis.docxIntroduction to Access Control  Week6 Part1-IS Revis.docx
Introduction to Access Control Week6 Part1-IS Revis.docx
 
P3 m2
P3 m2P3 m2
P3 m2
 
CIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docxCIS502 discussion post responses.Respond to the colleagues posts.docx
CIS502 discussion post responses.Respond to the colleagues posts.docx
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
 
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docxANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
ANSWER QUESTIONS AND RESPOND TO BOTH Your CISO was very.docx
 
Two Aspect Endorsement Access Control for web Based Cloud Computing
Two Aspect Endorsement Access Control for web Based   Cloud Computing     Two Aspect Endorsement Access Control for web Based   Cloud Computing
Two Aspect Endorsement Access Control for web Based Cloud Computing
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal Thing
 
Third Party Access Control
Third Party Access ControlThird Party Access Control
Third Party Access Control
 
ethical hacking report
 ethical hacking report ethical hacking report
ethical hacking report
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Control
 
Data security in practice
Data security in practiceData security in practice
Data security in practice
 
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKINGIMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
 

Kürzlich hochgeladen

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Kürzlich hochgeladen (20)

Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx

Certified Information Systems Security Professional (cissp) Domain “access control”

Access control: "The first line of defense"

Some attacks

Let's look at some of the different attacks on passwords. There is simply the dictionary attack, the brute-force attack, or a combination of the two, which we call a hybrid attack. First of all, the dictionary type: what is a dictionary attack? First of all, the password is not stored in clear text in the file on your computer; what is stored is a hash of the password. So a dictionary attack basically takes every word in the dictionary, creates a hash of it, and then compares that hash with the file on the computer. If it finds a match, it looks back at the word it used to create that hash, and that is the password. A brute-force attack is just that: it tries all possible combinations in order to get your hash, or recreate your password. This type of attack will always succeed eventually, because it literally tries every possible combination. What are some of the things that you can do to mitigate those attacks? Well, first of all, the obvious one is: don't send your passwords in clear text, and don't use common words or dictionary words. There are some tools out there, SATAN being one of them, that you can use as password checkers to see how secure your passwords are; they identify those that are weak, and then you simply change those.

Access control administration

The organization has to decide which access control model they're going to implement, whether it is going to be DAC or MAC or whatever; you can expect to find that in the security policy. Then the technologies and techniques that are going to support that model need to be identified and put in place: the standards need to be developed, the policies need to be developed, and the procedures need to be developed and put in place. The next question they have to answer is: how are we going to manage it? Are we going to manage it centrally, with one central location handling everything? That might work for a small organization, but when you get into a large
organization, particularly a multinational or international one, or even one spread across many countries, a centralized approach may not be the best solution for you, and you may want to decentralize. You may only want to decentralize a portion of it, which is referred to as the hybrid approach: let's say you centrally manage the network, but for local printers and local file shares you manage those at that particular location. So you use a hybrid approach for the administration of it. When we talk about centralized access control, we have one entity in one location that is making the decisions regarding access. Senior management has to decide that, and it has to be defined in the security policy; the data owner makes the ultimate decision, and senior management decides what they're going to have in place in order to support that: are they going to use something like RADIUS or TACACS+, or Diameter, the new version of RADIUS, as their centralized access control? In other words, you've got one location, and that location is controlling access for everybody.
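As an added illustration of the password checkers mentioned in the attacks passage above (this is example code, not part of the report), the audit below hashes a small constructed wordlist plus hybrid variants (capitalisation, digit or symbol suffix) once, then matches a constructed "user:hash" file against that table; wordlist, rules, file contents and names are all assumptions.

```python
"""Added example (not from the report): audit a password-hash file for dictionary
and hybrid (dictionary word plus capitalisation or digit suffix) passwords, which
is what the password checkers mentioned above do. Wordlist, rules, hash file and
names are all constructed."""
import hashlib
from typing import Dict, Iterable

# Constructed sample wordlist; a real checker loads a large dictionary.
WORDLIST = ["password", "welcome", "letmein", "summer"]
# Hybrid rules: a short digit or symbol suffix appended to each variant.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2012"]

def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the file stores."""
    return hashlib.sha256(text.encode()).hexdigest()

def candidates(words: Iterable[str]) -> Iterable[str]:
    """Yield each dictionary word and its hybrid variants."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix

def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Hash every candidate once; the audit then compares each stored hash
    against this table instead of re-hashing per account."""
    return {sha256_hex(c): c for c in candidates(words)}

def parse_hash_file(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'user:hexhash' lines into a dict, skipping blanks and comments."""
    entries = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, digest = line.partition(":")
            entries[user] = digest.lower()
    return entries

def audit(lines: Iterable[str], words: Iterable[str] = WORDLIST) -> Dict[str, str]:
    """Return {user: matched_password} for every account whose stored hash equals
    a dictionary or hybrid candidate. Users not listed passed this check only;
    that is not proof of a strong password."""
    lookup = build_lookup(words)
    return {u: lookup[h] for u, h in parse_hash_file(lines).items() if h in lookup}

# Constructed hash file: alice and bob chose weak passwords, carol did not.
SAMPLE_HASH_FILE = [
    "# user:sha256",
    "alice:" + sha256_hex("password"),
    "bob:" + sha256_hex("Welcome1"),
    "carol:" + sha256_hex("vq9!Lr#2ZkP0fT"),
]
```

Accounts the audit reports should have their passwords changed, as the text says; the others merely survived this particular wordlist.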
Centralized access control

I will give an example to discuss centralized access control. RADIUS is a handshaking protocol that allows the RADIUS server to provide the authentication and authorization information to the network access server, which is the RADIUS client. When dialing in, the user connects to the RADIUS client, not to the RADIUS server directly. The RADIUS server will contain a database of users and credentials, or it may be configured to hand off to a Lightweight Directory Access Protocol (LDAP) server that has the credentials on it; for example, the RADIUS server could be configured to access Active Directory on Windows and use that database of users and credentials. Then there needs to be communication between the RADIUS client and the server, and that communication needs to be protected. The user initiates a Point-to-Point Protocol (PPP) authentication with the provider; the RADIUS client then prompts the user for their credentials; the user types in the user ID and password; the RADIUS server then checks those credentials, either locally in its own database or against, let's say, Active Directory, and sends back an Accept or a Reject, or it may send a Challenge response back. If successful, RADIUS will allow the client access to the network, so you can get on the network and do whatever you want to.
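The RADIUS exchange above, simulated as an added example that is not part of the report: the client hides the password with the shared-secret scheme from RFC 2865 section 5.2 so it is not sent in the clear, and the server checks it locally or via a delegated directory lookup before answering Accept or Reject. The shared secret, accounts and function names are assumptions; real RADIUS uses UDP packets with full attribute encoding.

```python
"""Added example (not from the report): a simplified simulation of the RADIUS
exchange above, using the User-Password hiding from RFC 2865 section 5.2 so the
credential is not sent in the clear. Secret, accounts and function names are
constructed; real RADIUS uses UDP packets and also supports Access-Challenge."""
import hashlib
import os
from typing import Callable, Dict, Optional

SHARED_SECRET = b"constructed-shared-secret"  # known only to client and server

def _xor_blocks(data: bytes, secret: bytes, auth: bytes, chain_output: bool) -> bytes:
    """Keystream block i is MD5(secret + previous hidden block); block 0 uses the
    random Request Authenticator. Hiding chains on output, unhiding on input."""
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_output else data[i:i + 16]
    return out

def hide_password(password: bytes, secret: bytes, auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: NUL-pad to a 16-byte multiple, then XOR."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, auth, chain_output=True)

def unhide_password(hidden: bytes, secret: bytes, auth: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding."""
    return _xor_blocks(hidden, secret, auth, chain_output=False).rstrip(b"\x00")

class RadiusServer:
    """Checks credentials locally or via a delegated directory lookup (standing
    in for LDAP / Active Directory) and answers Access-Accept or Access-Reject."""

    def __init__(self, local_db: Dict[str, str],
                 directory: Optional[Callable[[str], Optional[str]]] = None):
        self.local_db, self.directory = local_db, directory

    def access_request(self, user: str, hidden_pw: bytes, auth: bytes) -> str:
        password = unhide_password(hidden_pw, SHARED_SECRET, auth)
        expected = self.local_db.get(user)
        if expected is None and self.directory is not None:
            expected = self.directory(user)  # e.g. an Active Directory lookup
        ok = expected is not None and expected.encode() == password
        return "Access-Accept" if ok else "Access-Reject"

def client_login(server: RadiusServer, user: str, password: str) -> str:
    """The RADIUS client (network access server) side: after prompting the user
    it hides the password under a fresh Request Authenticator and forwards it."""
    auth = os.urandom(16)
    return server.access_request(user, hide_password(password.encode(), SHARED_SECRET, auth), auth)

# Constructed accounts: alice is local to the RADIUS server, bob only in the "directory".
SERVER = RadiusServer({"alice": "correct horse"}, directory={"bob": "b0b-pass"}.get)
```

Because the keystream depends on the shared secret, a client that does not know it cannot produce a hidden password the server will accept.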
Access control methodologies

Administrative:
• Group membership
• Time of day
• Transaction type

The methodologies for access control are administrative, technical and physical. With administrative controls it is group membership, time of day or transaction type. So from an administrative methodology we can restrict access to data based on time of day: the payroll files are not accessed at 3:00 AM on a Sunday morning. Or based on transaction type: you're not allowed to perform that transaction type, for example deleting the database table. Those are administrative access control methodologies.

Technical access control:
• Directory service
• Network architecture
• Network access
• Encryption
• Auditing

Directory service

The technical layer of access control: what are the technical access controls? We've already mentioned directory service, but the way that you architect the network can also be an access control, and that's technical. Network access is a technical control, as is encryption. And let me point out one thing: auditing is a technical access control. Audit logs are technical controls because they track the activity of users and systems. It's not preventative, it can't prevent someone from accessing, but it helps a system administrator understand how the access took place so that in the future they can make changes. For directory services there are different types: X.500, LDAP, network directory services, and Active Directory. All four are different types of directory services, and all of them are technical controls. LDAP, the Lightweight Directory Access Protocol, basically adapts the X.500 directory to work over TCP/IP.

Network architecture

Where you place firewalls, for example. You may have an internal network within your trusted network, let's say just for the top secret data, and you put up a firewall in front of that top secret portion of your network to block it. So basically what you're doing is architecting the network to control access. You put a DMZ in place; you put your bastion host servers, from which you've removed all the extra services and ports, in the DMZ; you put a firewall in front of the DMZ and a firewall after the DMZ. How you architect the network is going to control who has access and who can get where.

Physical layer:
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Cabling

The physical controls are network segregation, perimeter security, computer controls, work area separation, and cabling. Network segregation is just that: you can physically separate the network or you can logically separate it. Physically separated means the wiring, one set of routers and one set of switches are physically separated from other parts of the network; logically separated means virtual LANs. With perimeter security you've got the locks on the doors, mantraps to get into the building, guards; all of those are physical security controls. Computer controls are things like a lock on your laptop, so you lock it to your desk and people can't walk off with it, or, for those of you who are under the requirement that you can't use the USB ports, physically removing them from the device or putting epoxy into the slot so you can't put a USB device into it, because the slot has been filled with epoxy; those are all types of computer controls. Then work area separation: I have one client, a state agency, who has a direct connection with a federal agency. They're both in the same physical building on the same floor, but you have to go through the state agency to get to the back of the room, to another private door that only the federal employees are allowed to go through, and they have their own internal mantrap in order to get into the federal area. To me that's work area separation. And then cabling: actually keeping the cables separate. Those are all types of physical layer controls, or physical controls, for networks.

Identification and Authentication

Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time. Authentication is based on the following three factor types:
1. Something you know, such as a PIN or password
2. Something you have, such as an ATM card or smart card
3. Something you are (physically), such as a fingerprint or retina scan

Passwords

Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. This "one-time password" provides maximum security because a new password is required for each new log-on. A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system.
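The administrative restrictions (group membership, time of day, transaction type) and the auditing point from the access control methodologies section, as an added example that is not from the report: each request is evaluated against the rules, and every decision is written to an audit log that records but does not prevent access. The rules, users, timestamps and log format are assumptions.

```python
"""Added example (not from the report): the administrative restrictions from the
access control methodologies section (group membership, time of day, transaction
type) evaluated as rules, with every decision appended to an audit log, which is
a detective control rather than a preventive one. Rules, users and log format are
constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set

@dataclass
class Rule:
    """A restriction on one resource: who may act, which actions, and when."""
    resource: str
    groups: Set[str]                  # group membership required
    actions: Set[str]                 # permitted transaction types
    allowed_hours: range = range(24)  # hour-of-day window, default any time

@dataclass
class PolicyEngine:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)  # detective control

    def decide(self, user: str, groups: Set[str], resource: str,
               action: str, when: datetime) -> Optional[str]:
        """Return None if permitted, else the denial reason. Either way the decision
        is logged so an administrator can later see how the access took place."""
        reason = self._evaluate(groups, resource, action, when)
        outcome = f'DENY reason="{reason}"' if reason else "PERMIT"
        self.audit_log.append(f"{when.isoformat()} user={user} action={action} resource={resource} {outcome}")
        return reason

    def _evaluate(self, groups: Set[str], resource: str, action: str,
                  when: datetime) -> Optional[str]:
        rule = next((r for r in self.rules if r.resource == resource), None)
        if rule is None:
            return "no rule for resource"  # default deny
        if not groups & rule.groups:
            return "group membership"
        if action not in rule.actions:
            return "transaction type"
        if when.hour not in rule.allowed_hours:
            return "time of day"
        return None

# Constructed policy: payroll files may only be read or updated by the payroll
# group between 07:00 and 18:59; dropping the table is never a permitted action.
POLICY = PolicyEngine([Rule("payroll", {"payroll"}, {"read", "update"}, range(7, 19))])

def check(user: str, groups: Set[str], resource: str, action: str, when_iso: str) -> Optional[str]:
    """Evaluate one request against POLICY at an ISO-8601 timestamp (constructed helper)."""
    return POLICY.decide(user, groups, resource, action, datetime.fromisoformat(when_iso))
```

The log line is what the administrator reviews afterwards; the denial itself comes from the rules, which is why the text calls auditing detective rather than preventative.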
Biometrics

An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism: something you are. Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. In biometrics, identification is a "one-to-many" search of an individual's characteristics from a database of stored images. Authentication in biometrics is a "one-to-one" search to verify a claim to an identity made by a person. Biometrics is used for identification in physical controls and for authentication in logical controls. The following are typical biometric characteristics that are used to uniquely authenticate an individual's identity:
• Fingerprints
• Retina scans
• Iris scans
• Facial scans
• Palm scans
• Hand geometry
• Voice
• Handwritten signature dynamics

Single Sign-On (SSO)

Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. A user must remember numerous passwords and IDs and may take shortcuts in creating passwords that may be open to exploitation. In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO applications can run either on a user's workstation or on authentication servers. The advantages of SSO include having the ability to use stronger passwords, easier administration of changing or deleting the passwords, and requiring less time to access resources. The major disadvantage of many SSO implementations is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions.

Conclusion

We talked about the fact that you could have physical or logical (virtual) LANs: let's say a virtual LAN for top secret, a virtual LAN for secret, and a virtual LAN for public information or unclassified data. I am going to conclude this subject on access control. We've talked about access control as being the first line of defense; we've talked about how people access data and the resources that go along to make that happen; the main goal is to protect resources from unauthorized access. We covered the models: discretionary access control, mandatory access control, role-based access control and rule-based access control; and then whether you want to manage access control centrally or decentralized, or whether you want to use a hybrid approach. We talked about the fact that controls can be administrative, physical or technical controls, and that regardless of whether they're administrative, physical or technical, those controls can give you preventative, detective and recovery services. I hope you've enjoyed this article about access control and I look forward to seeing you again, teacher, next semester, and excuse me for my English language errors.

Reference:
1. http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional
2. http://www.ntgtraining.com/courses/courses_cissp_cbk_10.html
3. Ronald L. Krutz and Russell Dean Vines, The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, Wiley Computer Publishing, John Wiley & Sons, Inc.